Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs #61

Closed
wants to merge 3 commits into from

Conversation

franferrax
Copy link
Contributor

@franferrax franferrax commented Sep 10, 2024

Hi, here is a JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs backport, based on openjdk/jdk11u#95.

After adjusting the file paths from 11u to 8u, the backport isn't clean, but conflicts are minimal. These include a copyright line and minor java.security-<platform> context mismatches. You can verify this comparing 00beb50 against openjdk/jdk11u@90ad5b1.

On top of that, the code still needed adjustments for the 8u codebase, which were addressed in a separate commit, 53e8134. I made these adjustments in line with 68e393c, the 8u backport of JDK-8207258: Distrust TLS server certificates anchored by Symantec Root CAs.

Testing

I run jdk/tier1 and all the tests under jdk/test/sun/security/ssl, using 64-bit slowdebug and release images, locally built in Fedora Linux 40. Please note that this includes the new X509TrustManagerImpl/Entrust/Distrust.java, which I've also made fail by temporarily undoing the java.security-linux changes. I haven't found any regression against master (currently e32d62e).

Regarding the failures in GitHub Actions, we can see that this also occurred in recent jdk8u-dev pull requests. For example:


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change requires CSR request JDK-8339194 to be approved
  • JDK-8337664 needs maintainer approval

Issues

  • JDK-8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (Enhancement - P3 - Approved)
  • JDK-8339194: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs (CSR)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u.git pull/61/head:pull/61
$ git checkout pull/61

Update a local copy of the PR:
$ git checkout pull/61
$ git pull https://git.openjdk.org/jdk8u.git pull/61/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 61

View PR using the GUI difftool:
$ git pr show -t 61

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u/pull/61.diff

Webrev

Link to Webrev Comment

@franferrax franferrax changed the title Backport 7d49c52272b54070a13b02708dd7ce5f8e375a06 @franferrax Backport 7d49c52272b54070a13b02708dd7ce5f8e375a06 Sep 10, 2024
@bridgekeeper
Copy link

bridgekeeper bot commented Sep 10, 2024

👋 Welcome back fferrari! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk
Copy link

openjdk bot commented Sep 10, 2024

@franferrax This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

Reviewed-by: sgehwolf, andrew

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@jerboaa, @gnu-andrew) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot changed the title Backport 7d49c52272b54070a13b02708dd7ce5f8e375a06 8337664: Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs Sep 10, 2024
@openjdk
Copy link

openjdk bot commented Sep 10, 2024

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport label Sep 10, 2024
@franferrax franferrax marked this pull request as ready for review September 12, 2024 12:06
@openjdk openjdk bot added the rfr Pull request is ready for review label Sep 12, 2024
@mlbridge
Copy link

mlbridge bot commented Sep 12, 2024

Webrevs

Copy link
Contributor

@jerboaa jerboaa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks mostly fine.

private static final Debug debug = Debug.getInstance("certpath");

// SHA-256 certificate fingerprints of distrusted roots
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
private static final Set<String> FINGERPRINTS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)));

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in e96486d, please note that the SYMANTEC_TLS distrust policy (which I checked for this backport) does not make the FINGERPRINTS set immutable either:

// SHA-256 certificate fingerprints of distrusted roots
private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
// cacerts alias: geotrustglobalca
// DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
"FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A",

Should we also update SymantecTLSPolicy.java?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

Should we also update SymantecTLSPolicy.java?

No, not in this bug. Feel free to do this as an 8u-only fix via jdk8u-dev pr. The original backport to 8 of https://bugs.openjdk.org/browse/JDK-8207258 didn't do this. That's one of the gotchas of Set.of() backports. It's not terribly important.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a common case, as Severin implies. For the test library, we added internal versions of the listOf and setOf methods to better handle this. It has the advantage that the same error checking (null values, duplicates) is present as on the methods in later JDKs.

I can look at moving that to an internal JDK class instead to cover library cases, and fix the Symantec case then. No reason to delay this critical fix for that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

@jerboaa jerboaa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@openjdk
Copy link

openjdk bot commented Sep 12, 2024

⚠️ @franferrax This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

@openjdk openjdk bot added the approval label Sep 13, 2024
@franferrax
Copy link
Contributor Author

Adding @gnu-andrew for awareness. According to the Crypto Roadmap, this change is targeting 8u, and planned for the October CPU. 23u, 21u, 17u and 11u backports are already integrated.

Copy link
Member

@gnu-andrew gnu-andrew left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Backport looks good to me. Missing collection and time methods are ported to suitable 8u equivalents. java.security changes are duplicated to the set of files in 8u.

I see differences with entrustrootcag4-chain.pem but this seems to be because 11u's version has CRLF line endings for some reason. The 8u one is actually correct in using the usual line endings.

@gnu-andrew
Copy link
Member

Adding @gnu-andrew for awareness. According to the Crypto Roadmap, this change is targeting 8u, and planned for the October CPU. 23u, 21u, 17u and 11u backports are already integrated.

I'm aware of the fix from 21u. Backport looks good so feel free to apply for approval so we can get this in the October release.

@gnu-andrew
Copy link
Member

I'll also take a look at the PR you reference for the tests and see if we can get that fixed in -dev. It won't change these results though.

@franferrax
Copy link
Contributor Author

I see differences with entrustrootcag4-chain.pem but this seems to be because 11u's version has CRLF line endings for some reason. The 8u one is actually correct in using the usual line endings.

I hadn't noticed this, the original version has mixed CR and CRLF, and it got fixed when adjusting and applying the patch. If you prefer it to be a verbatim copy I can easily modify it to match the original.

I'm aware of the fix from 21u. Backport looks good so feel free to apply for approval so we can get this in the October release.

Thanks, here is the approval request.

@gnu-andrew
Copy link
Member

I see differences with entrustrootcag4-chain.pem but this seems to be because 11u's version has CRLF line endings for some reason. The 8u one is actually correct in using the usual line endings.

I hadn't noticed this, the original version has mixed CR and CRLF, and it got fixed when adjusting and applying the patch. If you prefer it to be a verbatim copy I can easily modify it to match the original.

No need to change it. If anything, 11u should be fixed.

I'm aware of the fix from 21u. Backport looks good so feel free to apply for approval so we can get this in the October release.

Thanks, here is the approval request.

Thanks, I didn't see the /approval command for it on this PR.

/approve yes

@openjdk
Copy link

openjdk bot commented Sep 19, 2024

@gnu-andrew
8337664: The approval request has been approved.

@openjdk openjdk bot added ready Pull request is ready to be integrated and removed approval labels Sep 19, 2024
@franferrax
Copy link
Contributor Author

No need to change it. If anything, 11u should be fixed.

Ok, just for the record, 17u, 21u, 23u and mainline also have the mixed line endings in entrustrootcag4-chain.pem.

Thanks, I didn't see the /approval command for it on this PR.

Yes, I manually filled the request in the JBS because other backports requests were done in that way, and I was wondering which label the /approval command would add (jdk8u-fix-request vs jdk8u-critical-request).

@franferrax
Copy link
Contributor Author

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Sep 20, 2024
@openjdk
Copy link

openjdk bot commented Sep 20, 2024

@franferrax
Your change (at version e96486d) is now ready to be sponsored by a Committer.

@gnu-andrew
Copy link
Member

/sponsor

@openjdk
Copy link

openjdk bot commented Sep 20, 2024

Going to push as commit 39221f8.

@openjdk openjdk bot added the integrated Pull request has been integrated label Sep 20, 2024
@openjdk openjdk bot closed this Sep 20, 2024
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review sponsor Pull request is ready to be sponsored labels Sep 20, 2024
@openjdk
Copy link

openjdk bot commented Sep 20, 2024

@gnu-andrew @franferrax Pushed as commit 39221f8.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@franferrax franferrax deleted the backport_8337664 branch September 26, 2024 12:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport integrated Pull request has been integrated
Development

Successfully merging this pull request may close these issues.

3 participants